- From: Tom Ritter <tom@ritter.vg>
- Date: Tue, 27 Mar 2012 17:00:45 -0400
- To: Daniel Veditz <dveditz@mozilla.com>
- Cc: "Hill, Brad" <bhill@paypal-inc.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
On 27 March 2012 16:37, Daniel Veditz <dveditz@mozilla.com> wrote:
> On 3/26/12 3:27 PM, Hill, Brad wrote:
>> * We have heard reports that the META tag is used to delay policy enforcement: to pre-load some resources outside of CSP restrictions, then inject it into a page to "lock it down". If this is to be a supported use-case, I think we need to update the spec to make this very explicit.
>
> While sites might use that approach as a transitional device, I don't think it should be an explicitly supported use-case. The only safe way to use a <meta> policy is to put it first(-ish) in the document to minimize the risk of content injection that could negate it.

I was likewise kind of surprised this was used and reliable enough to be even quasi-recommended or suggested, but not having tested it at all, I didn't want to be the first to say so.

-tom
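The placement concern raised in the quoted reply, as an added example that is not part of the original thread: a small Node.js check (hypothetical helper `auditCspPlacement`, constructed HTML samples) that lists the resource-loading elements appearing before the CSP `<meta>` tag, i.e. content that loads outside the policy's reach and is exactly the "delayed enforcement" pattern being discussed.

```javascript
// Added example, not from the original mailing-list thread.
// Static audit of where a <meta http-equiv="Content-Security-Policy"> tag
// sits in a document: every element that can fetch or run content and
// precedes that tag is loaded with no policy applied. The HTML samples below
// are constructed for illustration.
const TAG_RE = /<(\/?)([a-zA-Z][\w-]*)([^>]*)>/g;
const ACTIVE_TAGS = new Set([
  "script", "link", "img", "iframe", "style", "object", "embed", "video", "audio",
]);

// True when the tag is the CSP meta element (http-equiv is case-insensitive).
function isCspMeta(tagName, attrs) {
  if (tagName !== "meta") return false;
  const m = /http-equiv\s*=\s*["']?([^"'\s>]+)/i.exec(attrs);
  return m !== null && m[1].toLowerCase() === "content-security-policy";
}

// Scans the markup in document order and stops at the first CSP meta tag.
// Returns { cspFound, unprotected }, where `unprotected` lists the names of
// resource-loading elements encountered before the policy took effect.
function auditCspPlacement(html) {
  const unprotected = [];
  let cspFound = false;
  let m;
  TAG_RE.lastIndex = 0;
  while ((m = TAG_RE.exec(html)) !== null) {
    const [, closing, rawName, attrs] = m;
    if (closing) continue; // closing tags load nothing
    const name = rawName.toLowerCase();
    if (isCspMeta(name, attrs)) { cspFound = true; break; }
    if (ACTIVE_TAGS.has(name)) unprotected.push(name);
  }
  return { cspFound, unprotected };
}

// Constructed sample: policy declared first, as the reply recommends.
const EARLY = `<!doctype html><html><head>
<meta http-equiv="Content-Security-Policy" content="default-src 'self'">
<script src="/app.js"></script></head><body><img src="/logo.png"></body></html>`;

// Constructed sample: a script is fetched before the policy is declared.
const LATE = `<!doctype html><html><head>
<script src="https://cdn.example/lib.js"></script>
<meta http-equiv="Content-Security-Policy" content="default-src 'self'">
</head><body></body></html>`;

console.log(auditCspPlacement(EARLY)); // { cspFound: true, unprotected: [] }
console.log(auditCspPlacement(LATE));  // { cspFound: true, unprotected: [ 'script' ] }
```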
Received on Tuesday, 27 March 2012 21:01:34 UTC